The first obvious reaction for the infosec crowd (with all the recent DNS flaws) is to question the security of the Google DNS service.

HD Moore has done some good analysis on the service as outlined below.

Yesterday, Google launched its new Public DNS service. Among the benefits that Google is claiming for the new service is that it helps to secure DNS for users. Is that an accurate claim?

One of the big issues that security researcher Dan Kaminsky disclosed about DNS insecurity in 2008 was that DNS request information isn’t quite as random as it should be. The way DNS works is that each DNS request is supposed to carry with it a random number transaction ID. But it turns out that the random number is only one out of 65,000. DNS is at risk when there isn’t enough randomization and a hacker can ‘guess’ the number.

So is Google’s Public DNS random enough? I got a comment from famed security researcher H D Moore on that point. Moore knows what he’s talking about when it comes to DNS exploits, as his Metasploit tool was among the first to have a weaponized version of the Kaminsky DNS flaw.

It seems like the port allocation of the Google DNS system is adequately random even though it’s drawing from a fairly small port range.

So the claims that this could be a more secure DNS server for most systems are true; it will protect against DNS cache poisoning attacks at least.

Moore has now put together a mapping of Google’s source port distribution on the Public DNS service. In his view, it looks like the source ports are sufficiently random, even though they are limited to a small range of ports.

According to HD, it looks like Google’s focus on security might be on the right track and the DNS could be good at preventing cache poisoning attacks.

His sample size is only 10,000 requests here, which isn’t a huge number but does give a decent sample in my view. He has also graphed source ports, transaction IDs and a comparison of source ports to those transaction IDs.
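The kind of measurement described above can be reproduced on any resolver’s outgoing queries. This added example (not HD Moore’s code or Google’s) builds minimal DNS query packets, reads the 16-bit transaction ID back out of the header, and scores a sample of (TXID, source port) pairs for spread and for step-to-step predictability. The two resolvers sampled are constructed stand-ins, not captured traffic: one with sequential TXIDs and a fixed port, one randomised within a limited port range.

```python
import math
import random
import struct
from collections import Counter

def build_query(txid, qname):
    """Minimal DNS A/IN query: 12-byte header (TXID first), QNAME labels, QTYPE, QCLASS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD set
    labels = qname.strip(".").split(".")
    qname_wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname_wire + struct.pack("!HH", 1, 1)

def txid_of(packet):
    """The transaction ID is the first 16-bit field of any DNS message."""
    return struct.unpack("!H", packet[:2])[0]

def shannon_bits(values):
    """Shannon entropy (bits) of the observed values; can never exceed log2(len(values))."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def assess(txids, ports):
    """Spread and step-to-step predictability of a sample of (TXID, source port) pairs."""
    txid_deltas = [(b - a) & 0xFFFF for a, b in zip(txids, txids[1:])]
    return {
        "txid_bits": shannon_bits(txids),               # misleadingly high even for a counter
        "txid_delta_bits": shannon_bits(txid_deltas),   # 0 for a counter, high for random IDs
        "port_bits": shannon_bits(ports),               # 0 for a fixed source port
        "distinct_ports": len(set(ports)),
        "port_range": (min(ports), max(ports)),
        "sample_cap_bits": math.log2(len(txids)),       # most a sample this size can ever show
    }

def sample_resolver(n, seed, port_lo, port_hi, sequential_txid=False):
    """Constructed sample of n queries from a hypothetical resolver (not captured traffic)."""
    rng = random.Random(seed)
    txids, ports = [], []
    for i in range(n):
        txid = i & 0xFFFF if sequential_txid else rng.randrange(0x10000)
        txids.append(txid_of(build_query(txid, "example.com")))  # round-trip via wire format
        ports.append(rng.randrange(port_lo, port_hi + 1))
    return txids, ports

# Pre-2008 style: sequential TXIDs, every query sent from source port 53.
WEAK = assess(*sample_resolver(10000, 1, 53, 53, sequential_txid=True))
# Random TXIDs plus random source ports from a limited range, 10,000 queries as in the sample above.
RANDOMISED = assess(*sample_resolver(10000, 1, 32768, 65535))
```

Note that 10,000 samples cap the entropy estimate at about 13.3 bits, so a sample that size cannot confirm the full 16 bits of a TXID or the full 32 bits of a TXID/port pair; it can only show that the values are spread across the range and that successive values are not predictable.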

I’ll switch over from OpenDNS and give the Google system a try, maybe it’ll reduce the lag time a little.

If anyone else is already using it, do share with us your thoughts in the comment section below.

I think 99% of users will never notice any lag difference (if there is indeed any additional), I personally think it’s useful to have the likes of Google offering this kind of service, it could potentially take off the strain or requirements to run internal DNS and give sys admins more time to drink coffee :)

Unfortunately, RTT tends to rule DNS query speeds, and local resolvers are a heck of a lot closer. My measured query latency to Google for a nearby site lookup is .19 seconds. To my local DNS, it’s .01 second for the request. For a random name, (insecure.org) the local resolver took almost .02 seconds and Google took an astonishing 1.20 seconds (mostly in the miss of insecure.org.[my local domain] which is automatically tried first due to the default local domain appending, but whatever, every OS does it). So yeah they have some cool ideas, but I’m not that impressed or switching my default DNS. And yes, I do notice an additional 1.2 second delay every time I hit a new domain while surfing.

I always test new products from Google and am also currently using Google’s public DNS, it’s giving much better results than OpenDNS, but the features of OpenDNS like filtering etc. are not supported by Google yet.

Hope Google will improve it more and implement it as one of its popular services.

Well it matters to users outside of the US, I’m in Malaysia for example and the ISP DNS servers are shite…they are frequently down, slow to respond and sometimes purposely fail to resolve certain sites on order of the government. So I’ve always had the habit of using OpenDNS anyway, this is a valid alternative to me and if Google is using a CDN type setup with a node in SE Asia, it’ll definitely be faster than OpenDNS.

I think it’s also a decent idea to use these as forwarders on your local DNS, heck you can put OpenDNS in as well. That’s what I tend to do as the root servers are simply too slow to respond here in Australia most of the time.

My ISP’s DNS is faster than Google or OpenDNS (by maybe 10%) but I would need to make more tests, especially to break down the difference in terms of RTT and DNS speed per se.

Looking at the wild discussion in the US, it would seem that DNSes provided by ISPs over there are not that good. I guess this is because you have 3 zillions ISPs while we have just a handful. All of them have decent DNSes (both speed and stability) and switching to Google would not change much.

An obvious advantage is that you need to remember 8.8.8.8 and 8.8.4.4 (see, I know them by heart) instead of 984.398.165.26 and 594.365.23.900 (these, for some reason, never worked for me, no matter how hard I tried).

Been using google’s DNS for a couple of weeks now, the improved lag time isn’t really enough to be noticeable, [although it is improved]. What does make a difference is the improved reliability of look-ups.

As for the flaw…well it is only in testing stage. I figure they’ll probably patch that as the uptake on the service improves. But for now it’s not an issue.

Why give Google such power to control all your traffic?
You might say that you already do that with your ISP and you are right! But your ISP isn’t Google; they only provide internet service, not all the other stuff Google is involved with.

Google cares about security to a certain point, beyond this point they shift to $$$ and consider many other things to relate this service with the endless services they offer. Google is not a security firm, they do everything now from mobile phones to operating systems. Security is of little concern to them, it cannot be any other way and their actions over the last few years show that it is an aggressive, control-seeking, big-money corporation that all of the world already needs to use (if you do not use Google search it is really your loss, so you can’t just stop it).

Do you really want Google to control every bit of communication coming out of your computer? I know I don’t, the email and web search are enough for me. They already scan my mail but apparently it is not enough and their new goal is to control all my traffic, the ads I watch, the porn I watch and EVERYTHING ELSE.

Google crossed to ‘the dark side’ sometime after they bought YouTube, there is no reason to feed them with more power so naturally don’t go for Google DNS.

Yesterday I tested the Google DNS server on my PS3. The download of a 217 MB video file went down to 90 seconds (Internet via cable modem DS 20.000 / US 1.024). Using the original DNS server of my provider the same download took 4 to 5 minutes. During online playing I didn’t notice any problem. I cannot really say if there is an improvement, as the games work online at the same speed. It could be that the data queries and data responses from and to the internet are more fluent with the Google DNS server.

I will try the Google servers for another few days and if there aren’t any problems, the Google DNS server will be the first server to use. And it is a big difference to spend only 90 seconds for a 217 MB download instead of waiting 4 to 5 minutes!!!! :-)